Re: Bash security issue

[Shawn H Corey]

On Thu, 25 Sep 2014 09:53:14 -0600
Eric Blake <address@hidden> wrote:

> On 09/25/2014 09:45 AM, Shawn H Corey wrote:
> > On Thu, 25 Sep 2014 08:55:45 -0600
> > Eric Blake <address@hidden> wrote:
> > 
> >> On 09/25/2014 07:51 AM, Bob Friesenhahn wrote:
> >>> It may be that some users of 'autoconf' will be at risk due to the
> >>> dire bash security bug described at
> >>> "http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/";.
> >>>
> >>> Take care that the environment is carefully vetted.
> >>
> >> There's nothing that ./configure can do to avoid the buggy bash,
> >> but it may indeed be worth patching autoconf to generate configure
> >> scripts that issue a loud warning if the buggy shell is detected on
> >> the user's system.  I'll look into doing that.
> >>
> > 
> > You may be premature. I think the patch will be out before Monday.
> > If so, your effort will be wasted. :)
> 
> Huh? There is no wasted effort in teaching configure scripts to warn
> users that they are running on an unpatched vulnerable system.  Just
> because a fix may be available doesn't mean everyone is running the
> fix.
> 

That's only a partial solution. The problem is with bash(1), not your
scripts. If you warn about one security issue, then people will count
on you to warn them about _all_ the security issues. People are lazy
and will jump to conclusions to avoid work.

You should only worry about security for the software you are directly
responsible for. Otherwise, people will expect you to fix everything
and complain unfairly when you can't.


-- 
Don't stop where the ink does.
        Shawn